b'AUDIT OF SBA\'S FY 2009 FINANCIAL STATEMENTS\xc2\xad \n\n           MANAGEMENT LETTER \n\n                   Report Number: 10-06 \n\n              Date Issued: December 15,2009 \n\n\n\n\n\n                    Prepared by the \n\n              Office of Inspector General \n\n          U.S. Small Business Administration \n\n\x0c             U.S. Small Business Administration\n             Office Inspector General\n                                                    Memorandum\n     To: \t   Jonathan L Carver                                     Date:   December 15,2009\n             Chief Financial Officer\n             Ilsl Original Signedl\n  From: \t    Debra S.-Ritt \n\n             Assistant Inspector General for Auditing \n\n\nSubject: \t   Audit of SBA\'s FY 2009 Financial Statements - Management Letter\n             Report No. 10-06\n\n             Attached is the Management Letter issued by KPMG LLP that identifies\n             matters that came to its attention during the audit of SBA\'s FY 2009\n             financial statements. The audit was performed under a contract with the\n             Office of Inspector General (OIG) and in accordance with Generally\n             Accepted Government Auditing Standards; Office of Management and\n             Budget\'s (OMB) Bulletin No. 07-04, Audit Requirementsfor Federal\n             Financial Statements, as amended; the Government Accountability Office\n             (GAO)/President\'s Council on Integrity and Efficiency (PC IE) Financial\n             Audit Manual; and GAO\'s Federal Information System Controls Audit\n             Manual.\n\n             KPMG addressed recommendations to the Chief Human Capital Officer;\n             Chief Information Officer; Directors for the Processing and Disbursement\n             Center, Office of Financial Program Operations, and Office of Surety Bond\n             Guarantees; and to you. We provided a draft ofKPMG\'s report to each of\n             these officials or their designees, who concurred with the fmdings relative to\n             their respective areas. The officials or designees agreed to implement the\n             recommendations or have already taken action to address the underlying\n             conditions.\n\n             Should you or your staff have any questions, please contact Jeffrey R.\n             Brindle, Director, Information Technology and Financial Management\n             Group at (202) 205-[FOIA ex. 2]\n\x0c                               KPMG LLP\n                               2001 M street, NW\n                               Washington, DC 20036\n\n\n\n\n                                             MANAGEMENT LETTER\n\n\n\nNovember 13,2009\n\n\nCONFIDENTIAL\n\nOffice of the Inspector General,\nU.S. Small Business Administration, and\nAdministrator of the SBA:\n\n\nWe have audited the consolidated financial statements of the U.S. Small Business Administration (SBA)\nfor the year ended September 30, 2009, and have issued our report thereon dated November 13,2009. In\nplanning and perfonning our audit of the financial statements of SBA, we considered internal control in\norder to detennine our auditing procedures for the purpose of expressing our opinion on the financial\nstatements. An audit does not include examining the effectiveness of internal control and does not provide\nassurance on internal control. We have not considered internal control since the date of our report.\n\nDuring our audit, we noted certain matters involving internal control and other operational matters that\nare presented for your consideration. These comments and recommendations, all of which have been\ndiscussed with the appropriate members of management, are intended to improve internal control or result\nin other operating efficiencies and are presented in Exhibit I. The status of prior year comments is\npresented in Exhibit II.\n\nOur audit procedures are designed primarily to enable us to fonn an opinion on the financial statements\nand, therefore, may not bring to light all weaknesses in policies or procedures that may exist. We aim,\nhowever, to use our knowledge of SBA gained during our work to make comments and suggestions that\nwe hope will be useful to you.\n\nWe would be pleased to discuss these comments and recommendations with you at any time.\n\nThis report is intended solely for the infonnation and use of the Office of the Inspector General,\nmanagement, and others within the organization and is not intended to be, and should not be, used by\nanyone other than these specified parties.\n\n\n\n\n                                   r:Q,\')~~ L~~,~!           ;,. :-,   gm:~,>.:;\'   l:",b"i,y   r,M1:~-i~~"h,.;. ~1 t:i;, \'..-: ~"\n                                   r",   ==:l..r,,; t: :r,;,,";   ~(.",1i."1 t~l"::;<",t(.,, ... \' !- \')~,.,~\'i- .c\'~~\'i..l\xc2\xb7~-\'<"i!;~".\n\x0c                                                                                                  Exhibit I\n                            u.s. SMALL BUSINESS ADMINISTRATION \n\n                                      Management Letter Comments \n\n                                              FY2009 \n\n\n\nLACK OF MANAGEMENT REVIEW OVER SERVICE ORGANIZATION STATEMENT ON\nAUDITING STANDARDS (SAS) No. 70, SERVICE ORGANIZATIONS, TYPE II PROCEDURES\n\nCondition:\n\nStatement of Federal Financial Accounting Standards (SFFAS) 31, Accounting for Fiduciary Activities,\nbecame effective as of October I, 2008. The SFFAS requires Federal entities to include two note\ndisclosures providing information about fiduciary activities in their financial statements. SBA has\nfiduciary activities for both its 7(a) and 504 programs. At SBA, the Master Reserve Fund (MRF) and\nMaster Reserve Account (MRA) are considered funds in which SBA accounts for fiduciary activity. The\nMRF is an account through which all payments from underlying loans and remittances to trust certificate\ninvestors flow for 7(a) loans that have been sold onto the secondary market. The MRA performs the\nsame function for the 504 Certified Development Company debentures. Reporting on the MRF and MRA\nactivity is provided to SBA by its Fiscal Transfer Agent (FTA), Colson Services Corporation (Colson).\n\nThe use of an FTA to service and process fiduciary activity for the MRF and MRA, in addition to other\nservices, results in SBA relying on the controls of a third-party service organization. Therefore, an annual\nSAS 70 Type II report is submitted by Colson providing an assurance statement on controls over the\nactivities for which it performs for SBA. KPMG noted that with the implementation of SFFAS 31, the\ncontrols surrounding the MRA and MRF tested as part of the Colson SAS 70 review directly impact\nSBA\'s financial reporting.\n\nKPMG inquired of management if it had planned for any additional objectives in its fiscal year 2009 SAS\n70 Type II audit, or mitigating compensating controls to address the financial reporting requirements of\nSFFAS 31. Based on our inquiry, we determined that SBA did not take into consideration the impact of\nSFFAS 31 on Colson\'s SAS 70 procedures.\n\nCriteria:\n\nOffice of Management and Budget (OMB) Circular A-123, Management\'s Responsibility for Internal\nControl, states:\n\n"Management is responsible for developing and maintaining effective internal control. Effective internal\ncontrol provides assurance that significant weaknesses in the design or operation of interniil control, that\ncould adversely affect the agency\'s ability to meet its objectives, would be prevented or detected in a\ntimely manner."\n\n"Control weaknesses at a service organization could have a material impact on the controls of the\ncustomer organization. Therefore, management of cross-servicing agencies will need to provide an\nannual assurance statement to its customer agencies in advance to allow its customer agencies to rely\nupon that assurance statement. Management of cross-servicing agencies shall test the controls over\nthe activities for which it performs for others on a yearly basis. These controls shall be highlighted in\nmanagement\'s assurance statement that is provided to its customers. Cross-servicing and customer\nagencies will need to coordinate the timing of the assurance statements."\n\n\n\n\n                                                                                                          1\n\x0c                                                                                               Exhibit I\n                            u.s. SMALL BUSINESS ADMINISTRATION \n\n                                     Management Letter Comments \n\n                                             FY 2009 \n\n\n\nCause:\n\nSBA does not have a process in place to evaluate the appropriateness of Colson\'s SAS70 Type II\nprocedures in relation to SBA\'s changing financial activities, the objective of which would be to ensure\ncontrols over the data provided to SBA are adequately tested by the service organization\'s auditor.\n\nEffect:\n\nWithout a SAS 70 review by management, SBA is not able to ensure all key processes handled by Colson\nare adequately tested or mitigated by compensating controls. As such, control weaknesses may exist that\ngo unidentified. Specifically, relating to the MRF and MRA, unidentified control weaknesses may exist\nthat lead to inaccurate reporting of fiduciary activities.\n\nAdditionally, with the development of new programs and changes to SBA operations under the American\nRecovery and Reinvestment Act (ARRA) of 2009, Colson will continue to expand the services it provides\nto SBA. Without a process for SBA officials to periodically re-evaluate the objectives of Colson\'s SAS\n70, the risk increases that new Colson process controls will not be adequately tested.\n\nRecommendations:\n\nI. \t We recommend the Chief Financial Officer (CFO) develop and implement policies and procedures to\n     review the SAS 70 Type II procedures to ensure all significant Colson process controls, including\n     over the MRF and MRA, are adequately tested.\n\n2. \t In addition, we recommend that the Office of Financial Assistance Director ensure the Service Level\n     Agreement includes a SAS 70 Type II review for Colson\'s process controls over all significant SBA\n     financial activities.\n\nManagement\'s Response:\n\nSBA management concurs with the findings and recommendations.\n\nLACK OF MANAGEMENT REVIEW OF SBA FORM 78. SEPARATION CHECKLIST\n\nCondition:\n\nIn fiscal year 2008, KPMG issued a Notice of Finding and Recommendation (NFR) related to the\nemployee separation process. The employee separation process is documented within the SBA Form 78,\nwhich documents the signatures of all required clearance officials prior to the separation of an SBA\nemployee. During the first quarter of fiscal year 2009, SBA implemented corrective action to address this\nissue in the form of employee training and a quarterly review of completed separation forms. In fiscal\nyear 2009, KPMG tested the key controls over the employee separation process. Based on our control\ntestwork over 30 employee separation sample items, we noted the following:\n\n\xe2\x80\xa2 \t Three sample items (sample items #12, #13, and #14) were missing the Office of Human Capital\n    Management (OHeM) signature in Section VI of the SBA Form 78.\n\n\n                                                                                                       2\n\x0c                                                                                                 Exhibit I\n                           U.S. SMALL BUSINESS ADMINISTRATION \n\n                                  Management Letter Comments \n\n                                          FY2009 \n\n\n\n\n\xe2\x80\xa2 \t Twelve sample items (#16, #17, #18, #19, #21,22, #23, #24, #26, #27, #29, and #30) were missing\n    the Office of Disaster Assistance (ODA) signature in section VI of the SBA Form 78.\n\n\xe2\x80\xa2 \t For three sample items (#1 and # 2 - Office of Chief Financial Officer (OCFO), and #8 - Office of\n    Field Operations (OFO\xc2\xbb, section I of the SBA Form 78 was not signed by the Division Chief.\n    Section I requires a signature that certifies all required forms have been completed and are attached,\n    and the separated employee\'s work area has been inventoried.\n\n\xe2\x80\xa2 \t For one sample time (#1 - OCFO), the second page of the SBA Form 78 was unavailable for review.\n    The second page of the SBA Form 78 documents the clearance signatures for sections III, IV, V, and\n    VI of the SBA Form 78. Section III requires the signature of an DIG official certifying that if the\n    employee had access to classified information, the employee was debriefed. Section IV documents\n    signatures evidencing whether items such as cellular telephones and pagers were returned. Section V\n    documents the employee\'s certification that all SBA property has been returned to the agency.\n    Section VI documents the signature of the OHCM servicing personnel specialist certifying the\n    appropriate forms were provided to the employee and the final salary disbursements were scheduled\n    for payment.\n\n\xe2\x80\xa2 \t For one sample item (#8 - OFO), section II of the SBA Form 78 was not signed by a Facilities\n    Management Branch (FMB) official. Section II of the SBA Form 78 documents all administrative\n    clearances such as travel credit cards, keys, and property and equipment were returned.\n\nCriteria:\n\nStandard Operating Procedure (SOP) 00-13-5, Chapter 2, Property Management Program, Chapter 2,\nstates:\n\n   "Regional administrators, district directors, disaster area directors, and Headquarters\' division chiefs\n   are designated property control officers for their respective areas of responsibility. As a Property\n   Control Officer, you must:\n\n   Ensure that all SBA property is returned when an employee leaves SBA. Field office heads should\n   indicate compliance by signing and dating SBA Form 78, "Separation Checklist." Headquarters\n   Division Chiefs should initial SBA Form 78 and forward it to the FMB (Facilities Management\n   Branch) for concurrence on the following items: Identification/Fascard, PropertylEquipment and\n   Office!Fumiture-Keys. Once you have obtained all required clearances, forward to the Office of the\n   Chief Human Capital Officer."\n\nOMB Circular A-123 requires that documentation for internal control, all transactions, and other\nsignificant events be readily available for examination.\n\nCause:\n\nOHeM does not currently have a well-defined SOP that specifies the roles and responsibilities of all\nindividuals involved in the separation process.\n\n\n                                                                                                         3\n\x0c                                                                                                 Exhibit I\n                            u.s. SMALL BUSINESS ADMINISTRATION\n                                     Management Letter Comments\n                                                FY 2009\n\n\n\nEtTect:\n\nThe separation checklist is not completed in a consistent and proper manner, which increases the risk that \n\ngovernment assets are not properly safeguarded. \n\n\nRecommendatiogs: \n\n\nWe recommend that the Chief Human Capital Officer (CHCO): \n\n\n3. \t Develop an SOP that clearly delineates the responsibilities of all parties involved in the employee\n     separation process.\n\n4. \t Modifiy current SBA Form 78 procedures to require the employee\'s supervisor be the last signature\n     obtained as part of the separation process. The supervisor should certify all signatures are present\n     prior to signing and then sending the completed form to OHCM, ODA, or OIG.\n\nManagementts Response:\n\nSBA management concurs with the findings and recommendations.\n\nNON COMPLIANCE WITH SOP 50 52 -LOANUQUIDATION AND ACQUIRED PROPERTY\xc2\xad\nUNTIMELY GUARANTY CHARGE-OFFS\n\nCondition:\n\nDuring testwork over loan guaranty charge-ofTs at the Fresno Commercial Loan Servicing Center (CLSC)\nand the Herndon National Guarantee Purchase Center (NOPC), an extended lag time between purchase\nand charge-off was noted in the following 11 sample items:\n\n\n\n\n   [FOIA ex. 2]\n\n   [FOIA ex. 2]\n\n   [FOIA ex. 2]\n\n   [FOIA ex. 2]\n\n   [FOIA ex. 2]\n\n   [FOIA ex. 2]\n\n   [FOIA ex. 2]\n\n   [FOIA ex. 2]\n\n   [FOIA ex. 2]\n\n   [FOIA ex. 2]\n\n\n\n\n                                                                                                         4\n\x0c                                                                                                   Exhibit I\n                              u.s. SMALL BUSINESS ADMINISTRATION \n\n                                       Management Letter Comments \n\n                                               FY2009 \n\n\n\n\nCriteria:\n\nSOP 50-52, Consumer Loan Servicing and Collection for Disaster Home Loans, states:\n\n    1) The SBA Policy Regarding Charge-off Accounts, states:\n\n          SBA\'s policy is to be diligent and thorough \'in its collection ofdebt and to promptly charge offall\n          uncollectible accounts [emphasis added}. The charge-off status will more accurately reflect the\n          status of the individual account and the Agency\'s entire portfolio.\n\nSEC. 31001, DEBT COLLECTION IMPROVEMENT ACT (DCIA) OF 1996\n\n    (b) \t The purposes of this section are the following:\n\n          (I) \t To maximize collections of delinquent debts owed to the Government by ensuring quick\n                action to enforce recovery of debts [emphasis added] and the use of all appropriate\n                collection tools.\n\nThe Government Accountability Office\'s (GAO) Standards for Internal Control in the Federal\nGovernment:\n\n          "Transactions should be promptly recorded to maintain their relevance and value to management\n          in controlling operations and making decisions [emphasis added]. This applies to the entire\n          process or life cycle of a transaction or event from the initiation and authorization through its\n          final classification in summary records. In addition, control activities help to ensure that all\n          transactions are completely and accurately recorded."\n\nCause:\n\nBased on discussions with the Center Directors, the majority of the exceptions noted above were caused\nby the Centers\' inheritance from district offices of a large portfolio of loans awaiting charge-off.\nAdditionally, both Directors stated the influx of defaulted loans, coupled with inadequate staffing at the\nCenter, has prevented the timely processing of charge-off actions.\n\nAlso, neither Center had a tracking mechanism to identify the length of time a loan awaits charge-off.\n\nEffect:\n\nA delayed guaranty loan charge-off will prevent accurate reporting of the loan status in the financial\nstatements. Once charged off, SBA recognizes a loss for the net amount of the loan balance and removes\nthe loan receivable recorded at time of purchase.\n\nAdditionally, a delayed charge-off impedes the ability of Treasury to fully pursue recovery for delinquent\nloans.\n\n\n\n\n                                                                                                           5\n\x0c                                                                                              Exhibit I\n                             u.s. SMALL BUSINESS ADMINISTRATION \n\n                                      Management Letter Comments \n\n                                              FY2009 \n\n\n\n\nRecommendations: \n\n\nWe recommend the Office of Financial Program Operations (OFPO) Director: \n\n\n5. \t Allocate resources as required to address   charge~off actions   in a timely manner.\n\n6. \t Develop a tracking mechanism to ensure loans awaiting charge-off for an extensive period are\n     quickly identified and processed.\n\nManagement\'s Response: \n\n\nSBA management concurs with the findings and recommendations. \n\n\nLACK OF BORROWER REQUEST OR 14-DAYLETTER PRIOR TO LOAN CANCELLATION OR\nREDUCTION\n\nConditions:\n\nKPMG noted the following deviations from SOP 50 30 (6) "Disaster Assistance Program" while\nperforming control testwork at the Ft. Worth Loan Processing and Disbursement Center (POC):\n\n1) For two loans, totaling $241,200, we noted documentation in the chron log was not sufficient to\n   determine whether the borrower verbally requested a loan cancellation or reduction, or whether the\n   cancellation/reduction was due to other factors and should have been processed using the 14-day\n   letter.\n\n   Note: No bankruptcy proceedings were involved in either case described above.\n\nCriteria:\n\nSOP 50 30 6, para. 109.a., Cancellation at Request of Borrower, states:\n\n        When we receive a written or oral request, we may cancel all or any portion ofan approved loan.\n        Be careful before acting on an oral request to ensure cancellation is appropriate.\n\nSOP 50 30 6, para. 109.c., Cancellation Notification Procedure, states:\n\n        (1) \t   Before we initiate an action to cancel all or any funds, we must mail a letter giving 14\n                calendar days\' notice ofthe pending cancellation. The letter must specify the action the\n                borrower can take to prevent the cancellation.\n\n                EXCEPTION: \t A 14-day letter is not required when the cause for the cancellation is due\n                             to the borrower\'s request or we received notification that the borrower\n                             has filed for bankruptcy.\n\n\n\n                                                                                                      6\n\x0c                                                                                                 Exhibit I\n                             u.s. SMALL BUSINESS ADMINISTRATION \n\n                                      Management Letter Comments \n\n                                              FY 2009 \n\n\n\n          (2) \t   Prior to submitting the loan modification for cancellation of the loan, the loan officer\n                  should contact the borrower to explain our action and the reasons for the cancellation.\n                  The loan officer will advise the borrower that written notification is forthcoming which\n                  will include information regarding the method and the deadline for requesting\n                  reinstatement (see paragraph 11 O. a.). The loan officer must also advise the borrower\n                  that ifwe approve the reinstatement request, new loan closing documents will be issued\n                  and that the original documents are no longer valid and should be destroyed.\n\n                  NOTE: The chron log should clearly reflect the details ofthis conversation; the reason(s)\n                        for the cancellation, the reinstatement process, and if approved, the issuance of\n                        new loan closing documents.\n\nGAO\'s Standards for Internal Control in the Federal Government, states, "control activities .. .include a\nwide range of diverse activities such as approvals, authorizations, verifications, reconciliations,\nperformance reviews, maintenance of security, and the creation and maintenance of related records which\nprovide evidence of execution of these activities as well as appropriate documentation." In addition,\n"access to resources and records should be limited to authorized individuals, and accountability for their\ncustody and use should be assigned and maintained."\n\nIn addition, the U.S. Department of Treasury\'s Management ofFederal Receivables states, "Accurate and\ncomplete documentation is critical to providing proper servicing of debt, pursuing collection of delinquent\ndebt, and in the case of guaranteed loans, processing claim payments."\n\nCause:\n\nLoan officers and customer service representatives did not sufficiently document the facts and\ncircumstances of the conversations with the borrowers.\n\nEffect:\n\nCancellations totaling $241,200 were not properly supported by either a borrower request or 14-day letter.\n\nRecommendation:\n\n7. \t We recommend the Director of the Fort Worth PDC provide guidelines to staff that outline what\n     constitutes proper file documentation to ensure that a reviewer of the file may determine the origin of\n     loan cancellations.\n\nManagement\'s Response:\n\nSBA management concurs with the finding and recommendation.\n\n\n\n\n                                                                                                          7\n\x0c                                                                                                      Exhibit I\n                               U.S. SMALL BUSINESS ADMINISTRATION \n\n                                      Management Letter Comments \n\n                                              FY2009 \n\n\n\nNONCOMPLIANCE WITH SOP 50 51 2A - LOAN LIQUIDATIONAND ACQUIRED PROPERTY \xc2\xad\nMISSING DOCUMENTATION WITHIN LOAN FILES\n\nCondition:\n\nDuring our testwork over guaranty loan charge-offs at the Fresno CLSC, we noted the following instances\nof inadequate documentation in the sample items reviewed:\n\n1) Credit Bureau Report\n\n       For one 504 loan, the loan specialist failed to obtain a credit bureau report prior to charge-off. A\n       credit bureau report is utilized to identify resources that could be used to pay down loan debt and to\n       ensure the borrower is properly referred to Treasury at time of charge-off.\n\n2) Cost/Benefit Analysis Supporting Forfeiture of Lien by SBA\n\n       One 504 loan was secured by a second lien on real estate with a loan balance of $1 ,419,095.53 at time\n       of borrower default. The liquidation efforts were completed by the District Office and the loan file\n       was shipped to Fresno for charge-off. It appeared the SBA District Office\xc2\xb7 abandoned collection\n       efforts associated with the property lien in exchange for $ I 0,000 received from the senior lien holder.\n       An appraisal located within the loan file suggested the fair market value of the property was\n       significantly higher than the $10,000 offer accepted by SBA. Based on comments included within the\n       Charge-off Form 327, Modification or Administrative Action, the Fresno CLSC recommending\n       official was unable to clearly identify the liquidation efforts taken by the District Office.\n\n       KPMG was ultimately able to ascertain the lien forfeiture was in the best interest of the agency\n       through follow-up discussions with the District Office and the Office of Financial Assistance (OF A)\n       after the issue was presented to management. However, the information provided subsequent to\n       KPMG\'s review was not docUmented within the loan file in the form of a costfbenefit analysis at time\n       of review and approval by the charge-off official.\n\nCriteria:\n\nJ) \t       SOP 5051 2(A), Loan Liquidation and Acquired Property - Chapter 18, "Charge-off Procedures"\n           17) What Financial Information is Needed on Debtor?\n           You must have current credit information on each obligor to support a charge-off, (Le., Dun and\n           Bradstreet, Equifax, or Credit Bureau Report).\n2) \t       SOP 50 512(A), Loan Liquidation and Acquired Property - Chapter 6, "SBA-Serviced\n           Liquidation"\n           1. What is SBA\'s Policy for SBA-Serviced Liquidations?\n           a) You must direct your efforts toward maximizing recovery in a minimum amount of time.\n           b) You must promptly proceed to locate, identify, assess, and protect all pledged real and personal\n                  property.\n\n\n                                                                                                              8\n\x0c                                                                                                   Exhibit I\n                             u.s. SMALL BUSINESS ADMINISTRATION \n\n                                      Management Letter Comments \n\n                                              FY 2009 \n\n\n\n3) \t     SOP 50 51 2(A), Loan Liquidation and Acquired Property - Chapter 6, "SBA-Serviced\n         Liquidation"\n         13. Release/Subordination of Agency Lien.\n         Recommendations for release and/or subordination of SBA lien on loans "in liquidation" will\n         only be considered if they clearly are in the Agency\'s best interest. Release/subordination should\n         be used to effect maximum recovery. Each action will be considered based on its effect on the\n         value of the collateral and the ability to obtain greater overall recovery on the loan.\n\nCause:\n\nThe above matters occurred because SBA personnel did not adhere to SOP requirements.\n\n\n\nThe deficiencies noted above increase the risk of invalid charge-offs. In addition, there is a risk that the \n\nagency may not maximize its collection efforts. \n\n\nRecommendations: \n\n\nWe recommend the OFPO Director: \n\n\n8. \t Reinforce, through the issuance of memorandum, the importance of the credit bureau report and/or\n     asset search review prior to charge-off.\n\n9. \t Ensure all offices are adequately documenting lien release decisions. This should be in the form of a\n     liquidation analysis included within the SBA Form 327 or other supporting documentation and should\n     clearly evidence the action was in the best interest of the Agency.\n\nManagement\'s Response:\n\nSBA management concurs with the findings and recommendations.\n\nIMPROPER PAYMENT- OVERPAYMENT OF INTEREST AT TIME OF GUARANTY\nPURCHASE\n\nCondition:\n\nWhile performing testwork over guaranty loan purchases at the Fresno CLSe, KPMG identified SBA\ninterest overpayment made to a lender under the 7(a) FA$TRAK program.\n\nThe Loan Officer documented on SBA Form 327 that the lender had successfully liquidated the loan\ncollateral and net proceeds were to be applied to 120 days of interest in arrears. At the time of actual\nliquidation, SBA determined that only 52 days of interest, or $1,606.49, was actually in arrears. However,\nthe recommending official did not enter the interest purchase adjustment detailed on the SBA Form 327\n\n\n\n\n                                                                                                           9\n\x0c                                                                                                 Exhibit I\n                              u.s. SMALL BUSINESS ADMINISTRATION \n\n                                       Management Letter Comments \n\n                                               FY2009 \n\n\n\ninto the Guaranty Purchase Tracking System (GPTS). Consequently, SBA paid 120 days of interest\ntotaling $3,707.28.\n\nCriteria:\n\nsop 50 51 2, Loan Liquidation & Acquired Property, Chapter 10, "Special Programs" states:\n          2. FA$TRAK Program.\n            e. How are proceeds from the sale of collateral handled?\n                  Proceeds from the sale of collateral must be applied in the following order:\n                  \xe2\x80\xa2 \t To expenses associated with the liquidation;\n                  \xe2\x80\xa2 \t To interest (NOT to exceed 120 days of interest on the balance as of the earliest\n                      uncured payment default); and\n                  \xe2\x80\xa2 \t To any principal balance.\n            g. How is the amount purchased detennined?\n               , \t The purchase amount will consist of the SBA guaranteed percentage of the balance\n                   remaining after liquidation plus up to 120 days of interest calculated at the note rate\n                   minus 1 percent (if liquidation proceeds were insufficient to cover a full 120 days of\n                   interest) based on the balance outstanding at the time ofthe earliest uncured default.\nThe Improper Payments Infonnation Act of 2002, states:\n          IMPROPER PAYMENT. The term "improper payment" (A) means any payment that should\n          not have been made or that was made in an incorrect amount (including overpayments and\n          underpayments) under statutory, contractual, administrative, or other legally applicable\n          req uirements;\n\nCause:\n\nThe approving official did not adequately review and compare supporting documentation to the GPTS\nbalance prior to approving the purchase amount in GPTS.\n\nEffect:\n\nSBA made an overpayment in the amount of $2, 10 1.\n\nRecommendation:\n\n10. \tWe recommend the OFPO Director reinforce the importance ofa thorough review of both GPTS and\n     the SBA Form 327 by approving officials to ensure they are in agreement at time of purchase.\n\nManagement\'s Response:\n\nSBA management concurs with the finding and recommendation.\n\n\n                                                                                                       10\n\x0c                                                                                                 Exbibit I\n                            u.s. SMALL BUSINESS ADMINISTRATION \n\n                                      Management Letter Comments \n\n                                              FY2009 \n\n\n\n\nLACK OF APPROVING OFFICIAL REVIEW OF GUARANTY LOAN CHARGE-OFF\n\nCondition:\n\nDuring our testwork over the guaranty loan charge-off process at the NGPC, we noted a lack of approving\nofficial review on SBA Form 327, Modification or Administrative Action, and within the GPTS for loan\nNo. [FOIA ex. 2]   in the amount of $275,762.35 (the total approved amount of the loan). This error was\nnot identified by the loan servicing assistant during LAUD15 data entry processing.\n\nCriteria:\n\nSOP 50 51 2(A), Loan Liquidation & Acquired Property, Chapter 3 "Correspondence, Reports, and\nControl Systems", states:\n\n          "3) What is SBA Form 327, Modification or Administrative Action?\n         The term "Modification or Administrative Action" refers to an action to modify the authorization\n         or other actions which are necessary to help the borrower respond to a business growth\n         opportunity or to respond to a problem. It also refers to actions that SBA may take that would\n         affect the loan (e.g., change the status of loan from regular servicing to "in-liquidation", to\n         transfer the loan from one lender to another, etc.)\n\n         All 327 actions require approval under the rule of two authority." [emphasis added]\n\nAs stated in the "LAUD15 Data Entry & Outprocessing Guidelines":\n\n         "LAUDI5 - To Recommend Charge-off\n\n         Enter "Y" (Yes) 3 times confirming this is proper, LAUD13 completed & PMNUOI has been\n         addressed. "\n\nCause:\n\nKPMG noted the Q-Term processor (loan servicing assistant) in charge of the final review of the SBA\nForm 327 incorrectly confirmed that all required officials had approved the action on the LAUD 15 screen\nwithin Q- Term.\n\nAdditionally, in the LAUDl5 processing procedures document, which is used as a reference tool by loan\nprocessing personnel, SBA explicitly instructs the processor to answer \'Yes\' to all questions on the\nLAUD15 screen. While all answers must ultimately be \'yes\' for an approving official to charge-off, the\nguidelines should be stated so that the processor reviews each individual question and verifies the answers\nare \'yes\' prior to inputting \'Y\' on the LAUD15 screen.\n\n\n\n\n                                                                                                        11\n\x0c                                                                                                 Exhibit I\n                            u.s. SMALL BUSINESS ADMINISTRATION\n                                     Management Letter Comments\n                                                FY 2009\n\n\nEffect: \n\n\nLack of documented approving official\'s review on the SBA Form 327 increases the risk of improper \n\ncharge-offs being performed and recorded in the general ledger. Furthermore, improper charge-off \n\nprocedures may limit SBA\' s recovery on delinquent loans from collateral or through litigation. \n\n\nRecommendations: \n\n\nWe recommend the OFPO Director should: \n\n\nII. \tReinforce, through training of all personnel involved in the charge-off process, the importance of\n     thoroughly reviewing the charge-off administrative action.\n\n12. \tConduct periodic (at least quarterly) rev~ews of completed charge-offs to ensure that all appropriate\n     personnel sign the administrative action.\n\n13. \tRevise the LA un 15 processing procedures to require the LAun processor to verify that all required\n     signatures are present on the administrative action.\n\nManagement\'s Response:\n\nSBA management concurs with the findings and recommendations. \n\n\nNONCOMPLIANCE WITH SOP 5051 2(A) - LOANLIQUIDATIONAND ACQUIRED PROPERTY \n\n- UNFULFILLED DOCUMENTATIONREQUIREMENTS BY LENDER (HERNDON) \n\n\nConditions: \n\n\nDuring our testwork over guaranty loan charge-otIs at the NOpe, we noted the following instances in \n\nwhich the related documentation was incomplete:\n\n        Lender Wrap up Report\n\n        For five of the loans tested, we noted SBA personnel failed to obtain a Lender Wrap up Report\n        documenting the lender\'s actions and results in regards to liquidation efforts prior to charge-off.\n\nCriteria:\n\n1)      SOP 50 51 2(A), Loan Liquidation and Acquired Property - Chapter 10,. "Special Programs",\n        states: \n\n\n        p) When must the lender provide a "wrap up report?" \n\n\n        i) The lender must provide SBA with a wrap up report documenting the lender\'s actions and \n\n        results. \n\n\n\n\n\n                                                                                                        12\n\x0c                                                                                                  Exhibit I\n                            U.S. SMALL BUSINESS ADMINISTRATION \n\n                                   Management Letter Comments \n\n                                           FY2009 \n\n\n\n                (I) When the lender determines that the loan will not be fully repaid after all worthwhile\n                  collateral has been liquidated; and\n\n                (2) No \tfurther recoveries are anticipated within a reasonable period of time, (see\n                  Appendix 18, "Final Wrap Up Report" checklist).\n\nCause: \n\n\nThe attorney who reviewed the loan file at time of charge-off incorrectly concluded on the Guaranty \n\nCharge-off Checklist that the lender had submitted a wrap up report for two of the loans. In addition, \n\nthere were no Charge-Off Checklists completed for three other loans prior to charge-off. \n\n\nEffect:\n\nThe deficiencies noted above increase the risk that invalid charge-offs will be made in the system. In \n\naddition, there is a risk that the agency will not maximize its collection efforts. \n\n\nRecommendations: \n\n\nWe recommend the OFPO Director: \n\n\n14. Modifies the administrative action to require that the recommending official be given the choice of\n    two available options when completing the Guaranty Charge-off Checklist as follows:\n\n   \xe2\x80\xa2 \t The lender wrap up report was submitted by the lender, or\n\n   \xe2\x80\xa2 \t There is sufficient information in the lender correspondence to satisfy the wrap up report\n       requirement.\n\nManagement\'s ReSpOnse: \n\n\nSBA management concurs with the findings and recommendations. \n\n\nLACK OF SUFFICIENT QUARTERLY REVIEWAND UNTIMELY DE-OBLIGATION OF\nUNDELIVERED ORDERS\n\nCondition:\n\nKPMG tested a sample of 75 Undelivered Orders (UDOs) as of September 30, 2009, and noted the\nfollowing exceptions:\n\n1) \t The quarterly review of open obligations reports was incomplete. Currently, SBA requires program\n     offices to conduct a quarterly review of their respective undelivered orders. However, the individual\n     reports are reviewed at different cut-off dates, and therefore, it is difficult to agree the total UDOs\n     reviewed to the agency\'s accounting books and records as ofa specific date.\n\n\n\n                                                                                                         13\n\x0c                                                                                                Exhibit I\n                            u.s. SMALL BUSINESS ADMINISTRATION \n\n                                     Management Letter Comments \n\n                                             FY2009 \n\n\n\n2) \t Five of the items were not properly de-obligated. The amount obligated related to these items totaled\n     approximately $193,000.\n\nCriteria:\n\nOMB Circular A-123. section I, defines management controls as "the organization, policies and\nprocedures used by agencies to reasonably ensure that: (i) programs achieve their intended results;\n(ii) resources are used consistent with agency mission; (iii) programs and resources are protected from\nwaste, fraud, and mismanagement; (iv) laws and regulations are followed; and (v) reliable and timely\ninformation is obtained, maintained, reported, and used for decision making."\n\nOMB Circular A-123, section II, goes on to indicate, "Monitoring the effectiveness of internal control\nshould occur in the normal course of business. In addition, periodic reviews, reconciliations or\ncomparisons of data should be included as part of the regular assigned duties of personnel. Periodic\nassessments should be integrated as part of management\'s continuous monitoring of internal control,\nwhich should be ingrained in the agency\'s operations."\n\nCause:\n\nThe errors appear to be attributed to human error and oversight related to the obligation process. The\nissues noted above are indicative of a lack of management/supervisory review of controls to ensure the\nexistence and accuracy of the financial information recorded. Furthermore, the precision of the review\ndoes not appear detailed enough given there is no overall monitoring to ensure a complete list of UDOs\nare reviewed, since we identified exceptions in our testwork.\n\nEffect:\n\nUntimely approval and posting of obligations and de-obligations within Oracle indicate inconsistencies in\nobligating procedures, and could result in an invalid obligation being made or remaining after it is no\nlonger appropriate.\n\nUDOs are overstated in the amount of$193,000.\n\nRecommendations:\n\nWe recommend the CFO:\n\n15. Continue to strengthen monitoring procedures \tover controls surrounding review and approval of\n    obligations;\n\n16. Continue to review undelivered orders periodically to ensure that amounts are properly de-obligated\n    as necessary.\n\nManagement\'s Response: \n\n\nSBA management concurs with the findings and recommendations. \n\n\n\n                                                                                                       14\n\x0c                                                                                               Exhibit I\n                           u.s. SMALL BUSINESS ADMINISTRATION\n                                     Management Letter Comments \n\n                                             FY 2009 \n\n\n\n\nIMPROVEMENTS NEEDED IN THE APPROVAL OF PAYROLL AND PERSONNEL ACTIONS\n\nCondition:\n\nDuring our testwork performed over 60payroll sample items for the period from October 1, 2008 to\nMay 31,2009, we noted the following:\n\n1) \t For three sample items (Denver [1] and Herndon [2], we noted that the OPM SF-52s, Request for\n     Personnel Action, did not contain the authorization signature. Additionally, for one sample item\n     (Headquarters), the Office of Personnel Management (OPM) SF-52 was not signed by the employee.\n\n2) \t For one sample item, the original OPM Form 71, Request for Leave or Approved Absences, was not\n     signed by the employee\'s supervisor. The employee worked in the Office ofField Operations (OFO).\n\n3) \t For three sample items the STAR Time and Attendance (T&A) worksheets were not signed by the\n     employees\' supervisors. The three T&A exceptions noted related to employees working in the Office\n     ofInternational Trade (I item), OFO (I item), and the Los Angeles District Office (l item).\n\nCriteria:\n\nSBA\'s Guide to Preparing the OPM SF M   52, Request for Personnel Action Part A Requesting Office, states\nthat "6 ACTION AUTHORIZED BY Enter name, title, date, and signature of person authorized to\napprove the personnel or position action requested."\n\nSOP 36 00, Attendance and Leave, states that "supervisors are responsible for ensuring that all employees\nunder their supervision have worked the proper number of hours for the work schedule selected before\nsigning individual Time and Attendance Reports."\n\nSBA Manager\'s Toolkit states, "Ensure all STAR T&A worksheets are signed by timekeeper, employee,\nand supervisor. Ensure OPM Form 71 (Request for Leave or Approved Absence) is completed and\napproved in a timely manner. Do not make handwritten changes to the OPM Form 71 without initialing or\nsigning, which indicates approval by management. Ensure timekeepers do not transmit T&A before all\nthe proper signatures are obtained."\n\nOMB Circular AM 123, requires that "documentation for internal control, all transactions, and other\nsignificant events be readily available for examination."\n\nCause:\n\nSBA does not have an effective control in place to detect payroll forms and actions that have not been\nproperly approved and retained.\n\n\n\nLack of approved OPM SFM\n                       52s increases the risk that unauthorized personnel actions are processed.\n\n\n                                                                                                      15\n\x0c                                                                                                  Exhibit I\n                            u.s. SMALL BUSINESS ADMINISTRATION \n\n                                      Management Letter Comments \n\n                                              FY 2009 \n\n\n\n\nLack of approved T&A worksheets and OPM Fonn 71 s by the supervisor or timekeeper increases the risk \n\nthat incorrect hours and annual leave may be processed. \n\n\nRecommendations: \n\n\nWe recommend the CHCO work with: \n\n\n17. The Director \tof Administration, Office of Disaster Assistance, to reinforce the importance of\n    obtaining the required signatures on the OPM Form SF-52.\n\n18. \tThe Deputy of OFO to reinforce the importance of the approval of OPM Fonn 71 through periodic\n     training or interim monitoring.\n\n19. The Associate Administrator for the Office of Capital Access, Los Angeles District Director, and the\n    Deputy of OF A to reinforce the importance of the approval of T&A worksheets through periodic\n    training or interim monitoring within their respective program offices.\n\nManagement\'s Response:\n\nSBA management concurs with the fmdings and recommendations.\n\nIMPROVEMENT NEEDED TO ENSURE SOPS ARE CURRENT\n\nCondition:\n\nIn fiscal year 2008, we issued NFR-2008-12 which noted that SOP 00 08 (2), National 4/93\nOrganizational Structure, was not up-to-date to reflect the current titles and functions, organizational\ncharts, and responsibility/authorities of SBA offices. While SBA made several minor revisions to this\nSOP in 2005 and 2006 to chapters I, 2, and appendix 2, the majority of the SOP, which includes\norganization charts, mission statements, responsibilities, service areas, jurisdictions, etc .\xe2\x80\xa2 has not been\nupdated since 1993. SBA management responded to NFR-2008-12 by stating that it concurred with the\nfinding and would review and update the organization-specific portions of SOP 00 08 (2) by\nSeptember 30, 2009.\n\nWe re-examined the status of SOP 00 08 (2) revisions as part of our entity-level control testwork in fiscal\nyear 2009. We noted that no progress has been made as of September 10,2009 to update and revise the\noutdated information contained in the SOP.\n\nCriteria:\n\nOMB Circular A-123, Internal Control over Financial Reporting, states, "A factor affecting the control\nenvironment is the agency\'s organizational structure. It provides management\'s framework for planning,\ndirecting and controlling operations to achieve agency objectives. A good internal control environment\nrequires that the agency\'s organizational structure clearly define key areas of authority and responsibility\nand establish appropriate lines of reporting.\n\n\n                                                                                                         16\n\x0c                                                                                                    Exhibit I\n                             U.S. SMALL BUSINESS ADMINISTRATION \n\n                                    Management Letter Comments \n\n                                            FY2009 \n\n\n\n\nSOP 00 08, Organizational Structure, states, "The AAlHCM will revise this SOP (title changes,\nfunctional statements, organizational charts, etc.), update the organizational structure data in the personnel\nand payroll data system, and request that the Office of Administration prepares Agency and Federal\nRegister notifications (if required)."\n\nCause:\n\nBased on discussion with OHCM personnel, the SOP has not been revised because there are higher\npriority issues within the agency and limited resources.\n\nEffect:\n\nThe lack of a documented organizational structure and clearly defined policies and procedures of key\nareas of authority and responsibility can negatively impact SBA\'s overall control environment.\n\nRecommendation:\n\n20. We \t recommend the CHCO revise the SOP for organizational structure to reflect the current\n    organizational structure including title changes, functional statements, organizational charts, and\n    responsibilitylauthorities.\n\nManagement\'s Response:\n\nSBA management concurs with the finding and recommendation.\n\nLACK OF DOCUMENTATION FOR EMPLOYEE COSTALLOCATIONSURVEYAND\nINCORRECT DATA PROVIDED IN SURVEY RESULTS\n\nCondition:\n\nAs part of our Statement of Net Cost methodology testwork, we selected a sample of employee surveys to\nvalidate the cost allocation report downloaded from SBA\'s costing system, OROS ABC Model. This\nsystem supports the allocated amounts in SBA\'s Statement of Net Cost and the Stewardship Investments\nin Human Capital reported in the Required Supplementary Stewardship Information section of the\nfinancial statements. We noted for one of 26 sample items selected for testing that SBA was unable to\nprovide the supporting employee\'s survey.\n\nUpon requesting the file from the Arizona District Office, which was listed as the employee\'s office per\nthe cost allocation report, we were informed by management that the individual was actually working for\nthe Office of Capital Access at the Citrus Heights District Office. We verified this through documents,\nincluding OPM SF-50 - Notification of Personnel Action, Time and Attendance Report, and Form\nAD-334 - Earnings and Leave Statement, which we received as part of our payroll testwork. The Citrus\nHeights District Office was also unable to provide us with a copy of the employee survey.\n\n\n\n\n                                                                                                           17\n\x0c                                                                                                Exhibit I\n                            u.s. SMALL BUSINESS ADMINISTRATION \n\n                                     Management Letter Comments \n\n                                             FY 2009 \n\n\n\nCriteria:\n\nSBA must allocate the net cost of operations over major goals, and the programs within these goals.\nOMB Circular A-136, Financial Reporting Requirements, states:\n\n   "The Statement ofNet Cost should show the net cost of operations for the reporting entity by major\n  program, which should relate to the major goal(s) and outputs(s) described in the entity\'s strategic and\n  performance plans, required by GPRA. These major programs must be organized into meaningful\n  groups which must be an organized set ofactivities, directed toward a common purpose or goal. The\n  reporting entity should accumulate and assign costs to these major programs in accordance with the\n  costing methodology in SFFAS No.4."\n\nThe Statement of Federal Financial Accounting Standards No.4, Managerial Cost Accounting Concepts\nand Standards for the Federal Government, states:\n\n    "The costing methodology used by an entity should be appropriate for management\'s needs and the\n  operating environment and should allow outputs produced to accumulate by type of resource that\n  directly or indirectly contributes to the production of those outputs. This system should also be\n  capable ofidentifying costs within responsibility segments. The costing methodology chosen should be\n  followed consistently and the cost assignments should be performed within the system on a regular\n   basis. "\n\nSBA Procedural Notice 2000-767, FY 2009 Cost Allocation Survey, states:\n\n   "Supervisors are required to ensure that all of their employees complete the survey and must. review\n  their employees\' survey responses. After completing the survey, all employees must provide their\n  immediate supervisor with a printed copy of their survey responses. After the supervisor signs the\n  printed survey, the employee must "submit" the survey".\n\nCause:\n\nThe employee incorrectly filled out the survey by indicating his office location as Arizona, instead of\nCitrus Heights, and the error was not detected as part ofSBA\'s established review process.\n\nEffect:\n\nThe error in office code on the survey was not found through supervisory review; as such, the costs\nassociated with this employee were not allocated to the appropriate district office. A copy of the\nemployee survey was not kept in the employee file; and as such, we were not able to verify that the costs\nrelated to this employee\'s activities were allocated to the appropriate activity.\n\nThe percentages that are developed from survey results from each office allocate costs across SBA\'s\noperations. The aggregation of errors such as this can lead to the generation and use of incorrect\ninformation in making management decisions and in allocating resources across agency programs and to\nindividual offices. The misallocations could also lead to the presentation of incorrectly calculated\ninformation for the Statement of Net Cost and the Stewardship Inve~tments in Human Capital.\n\n\n                                                                                                       18\n\x0c                                                                                               Exbibit I\n                           u.s. SMALL BUSINESS ADMINISTRATION \n\n                                     Management Letter Comments \n\n                                             FY 2009 \n\n\n\n\nRecommendation:\n\n21. \tWe recommend the OFPO Director ensure that SBA supervisory personnel at the Citrus Heights\n     office follow the procedural notice issued to all SBA employees.\n\nManagement\'s Response: \n\n\nSBA management concurs with the finding and recommendation. \n\n\nWEAK CONTROLS EXIST OVER BACKGROUND INVESTIGATIONS\n\nCondition:\n\nDuring fiscal year 2009, we found that controls over security management were weak. Specifically, we\nnoted that approvals for successfully completed clearance documents were not retained for all selected\nnew hires. We sampled a total of 15 new hires; however, two of the requested SBA Form 1228s, which\nevidence the successful completion of a background investigation were either incomplete or could not be\nprovided. We noted that the missing forms were for new SBA employees. Therefore, we were unable to\ndetermine if all new staffwas successfully cleared before their employment began.\n\nCriteria:\n\nThe Federal Infonnation Security Management Act (FISMA) requires Federal agencies to\ncomply with infonnation security guidance issued by the National Institute of Standards and\nTechnology (NIST).\n\nOMB Circular A-130, Transmittal Memorandum #4, Management of Federal Information Resources,\nrequires Federal agencies to screen individuals applying for access to government data and systems based\non the level of risk presented by their access.\n\nSOP 3300-2, Employment, states, "The SBA requires the completion of a Single Scope Background\nInvestigation before employing you."\n\nCause:\n\nManagement represented to us that competing resources have prevented SBA from implementing policies\nand procedures within SOP 3300-2, Employment, which addresses the retention of background\ninvestigation forms.\n\nEffect:\n\nIncomplete documentation supporting the completeness of initial and follow-up background\ninvestigations may lead to issues with security related personnel policies. For example, without evidence\n\n\n\n\n                                                                                                      19\n\x0c                                                                                                   Exhibit I\n                            U.S. SMALL BUSINESS ADMINISTRATION \n\n                                   Management Letter Comments \n\n                                           FY2009 \n\n\n\nof background investigations, the requirement to update security clearance certifications based upon \n\nposition sensitivity changes may be overlooked. \n\n\nRecommendations: \n\n\nWe recommend the Chief Information Officer (CIO): \n\n\n22. Timely conf"tnn the validity of the missing employees\' background investigations identified in the\n    condition above.\n\n23. Oversee and enforce the authorization and document retention \tof the clearance documents for all\n    employees and contractors.\n\nManagementts Response: \n\n\nSBA management concurs with the finding and recommendations. \n\n\nINADEQUATE DOCUMENT RETENTION FOR ALTERNATE PROCESSING CONTRACTS \n\n\nCondition: \n\n\nDuring our fiscal year 2009 test work, KPMG noted that the New World Apps provides the alternate \n\nprocessing services for the Local Area NetworklWide Area Network (LANIWAN), Financial Reporting \n\nInformation System (FRIS), and E-Tran. Upon reviewing the contractual agreement, we noted that the \n\ncontract does not indicate the period of coverage. The document only stated the contract\'s date of order, \n\nwhich was September 4,2008. Therefore, the period of coverage for the contract was unclear. \n\n\nCriteria: \n\n\nFISMA requires federal agencies to comply with information security guidance issued by NIST. \n\n\nSOP 90 47 2, Automated Information System Security Program, states, "Regardless of which type of off\xc2\xad\nsite alternate site is used, there are six possible scenarios that apply for backup and recovery capability.\nRegular backups by system administrators, associated backup documentation, and the process for security\nadministrative passwords should be established to provide a basic level of recovery capability in addition\nto incorporating any of the additional techniques emphasized above. (Appendix V, page 41)"\n\nNIST Special Publication 800-18, Guide for Developing Security Plans for Federal Information Systems,\nstates, "One common preparation [ ... ] is to establish contracts and agreements, if the contingency strategy\ncalls for them (Chapter 11)."\n\nCause:\n\nLack of management oversight has resulted in the Office of the Chief Information Officer (OCIO) staff\nneglecting to prioritize the retention of key third party contracts.\n\n\n\n                                                                                                          20\n\x0c                                                                                                   Exhibit I\n                             u.s. SMALL BUSINESS ADMINISTRATION \n\n                                      Management Letter Comments \n\n                                              FY 2009 \n\n\n\nEffect:\n\nThe lack of retained contractual information. such as the date of coverage for services, can lead to \n\ninconsistency in authorized and agreed services by vendors. \n\n\nRecommendation: \n\n\n24. We recommend the CIO ensure that third party contracts remain current and reflect the period of\n    coverage.\n\nManagement\'s Response: \n\n\nSBA management concurs with the finding and recommendation. \n\n\nTRAINING FOR INFORMATION TECHNOLOGY (11) SECURITY PERSONNEL IS\nINADEQUATE\n\nCondition:\n\nDuring our testwork, we determined that a mandatory training program for IT security personnel is not\nplace. The current process used by the OCIO is to recommend courses to IT Security personnel; however,\nthis process is relatively informal as attendance is neither mandatory nor tracked for compliance.\n\nCriteria:\n\nFISMA requires federal agencies to comply with information security guidance issued by NIST.\n\nOMB Circular A-130, Appendix III, addresses training as an element of a system security plan for a\ngeneral support system and as an element of an application security plan for a major application.\nRegarding the training element of a system security plan, the Circular states, "Ensure that all individuals\nare appropriately trained in how to fulfill their security responsibilities before allowing them access to the\nsystem. Such training shall ensure that employees are versed in the rules of the system [ ... ] and apprise\nthem about available technical assistance and technical security products and techniques."\n\nNIST Special Publication 800-50, Building and Information Technology Security Awarness and Training\nProgram, states, "An awareness and training program is crucial in that it is the vehicle for disseminating\ninformation that users, including managers, need in order to do their jobs. In the case of an IT security\nprogram, it is the vehicle to be used to communicate security requirements across the enterprise."\n\nCause:\n\nManagement represented to us that competing resources have prevented the implementation of a\nmandatory training program for IT security personnel. However, the aCIO has plans to implement a\nprogram within fiscal year 2010.\n\n\n\n\n                                                                                                           21\n\x0c                                                                                           Exhibit I\n                            u.s. SMALL BUSINESS ADMINISTRATION \n\n                                     Management Letter Comments \n\n                                             FY 2009 \n\n\n\nEffect:\n\nThe lack of a mandatory training program for IT security personnel can lead to inconsistent and \n\ninadequate knowledge ofjob function duties. \n\n\nRecommendations: \n\n\nWe recommend the CIO: \n\n\n25. Require effective training programs for IT security personnel.\n\n26. Develop a method of monitoring the training program to ensure compliance by all personnel with IT\n    security roles and responsibilities.\n\nManagement\'s Response: \n\n\nSBA management concurs with the finding and recommendations. \n\n\n\n\n\n                                                                                                  22\n\x0c                                                                                                         Exhibit II\n\n                                     U.S. Small Business Administration\n\n                                         Status of Prior Year Comments \n\n\n                                                        FY2009 \n\n\n\n\n            Fiscal Year 2008 Comment                                      Fiscal Year 2009 Status\nImprovement needed on SBA\'s processes to Revised and repeated in Exhibit I, page 4, under the\nprovide guidance and improve the timely charge-off following heading:\nof delinquent loans.\n                                                   \xe2\x80\xa2 Non compliance with SOP 50 52-Loan Liquidation\n                                                       and Acquired Property-untimely guaranty charge\xc2\xad\n                                                       offs\xc2\xb7\n\n\n\nImprovement needed in adherence to IT general              Resolved\ncontrol procedures and in review of payments prior\nto processing by Treasury.\n\n\nNo pursuit of collateral prior to direct loan charge-      Resolved\noff in compliance with SOP 5052 (1) Consumer\nLoan Servicing and Collections for Disaster Home\nLoans.\n\n\nSOP fmdings associated with direct loan servicing Revised and repeated in Exhibit I, page 6, under the\nat the Fort Worth loan processing and disbursement following heading:\ncenter.\n                                                   \xe2\x80\xa2 Lack of borrower request or J4-day letter prior to\n                                                       loan cancellation or reduction.\n\nInadequate review of the loan loss reserve fund            Resolved\ndocumentation submitted by intermediaries in the\nMicroloan Program.\n\n\nLegal review is not being performed in accordance Resolved\nwith SOP 50 51 2(A), Loan Liquidation and\nAcquired Property.\n\n\n\nLack of legal review on SBA Form 327 for loan              Revised and repeated in Exhibit I, page 10, under the\nguaranty charge-off.                                       following heading:\n\n                                                           \xe2\x80\xa2   Lack ofapproving offiCial review ofguaranty loan\n                                                               charge-off.\n\n\n\n                                                           1\n\x0c                                                                                                   Exhibit II\n\n                                    u.s. Small Business Administration \n\n                                       Status of Prior Year Comments \n\n\n                                                 FY 2009 \n\n\nLack of legal review documentation for charge-off Revised and repeated in Exhibit I, page 10, under the\nactions by the office of general counsel related to following heading:\nthe Small Business Investment Company (SBIC)\nprogram.                                            \xe2\x80\xa2 Lack ofapproving official review ofguaranty loan\n                                                        charge-off\n\n\nMissing loan files                                   Revised and repeated in Exhibit I, pages 7 and 11\n                                                     respectively, under the following headings:\n\n                                                     \xe2\x80\xa2   Noncompliance with SOP 50 51 2A \xc2\xad Loan\n                                                         Liquidation and Acquired Property-missing\n                                                         documentation within loan files.\n\n                                                     \xe2\x80\xa2   Noncompliance with SOP 50 51 2A -Loan\n                                                         Liquidation and Acquired Property \xc2\xad tmfulfilled\n                                                         documentation requirements by the lender\n                                                         (Herndon).\n\n\nImproper referral of debtor to Treasury.             Resolved\n\n\n\nImprovement needed in loan guaranty approval Resolved\nprocess controls in order to prevent approval of\nduplicate loans.\n\nImprovement needed in the Office of Credit Risk Resolved\nManagement (OCRM) documentation of departures\nfrom the general standards stated in SOP 51 00, On-\nsite Lender Reviews/Examinations.\n\n\n\nImprovement needed in the new hire personnel Revised and repeated in Exhibit I, page 2 and 14\naction, and employee separation process.     respectively, under the following headings:\n\n                                                     \xe2\x80\xa2   Lack ofmanagement review ofSBA Form 78,\n                                                         "Separation Checklist".\n\n                                                     \xe2\x80\xa2   Improvements needed in the approval ofpayroll\n                                                         and personnel actions.\n\n\n\n\n                                                     2\n\x0c                                                                                                    Exhibit II\n\n                                  U.S. Small Business Administration\n\n                                     Status of Prior Year Comments \n\n\n                                                FY2009 \n\n\nEnhancement needed to ensure the SOP related to Revised and repeated in Exhibit I, page 15, under the\nSBA\'s organizational structure is current.      following heading:\n\n                                                     \xe2\x80\xa2    Improvement needed to ensure SOPs are current.\n\n\nUntimely de-obligation of undelivered orders and a   Revised and repeated in Exhibit L page 13, under the\nneed to improve documentation records.               following heading:\n\n                                                     \xe2\x80\xa2    Lack ofsuffiCient quarterly review and untimely de-\n                                                          obligation ofundelivered orders.\n\n\n\nInternal controls surrounding Congressional Grant    Resolved\nmonitoring\n\n\n\n\n                                                     3\n\n\x0c'